Re: NT4 worm

[Juha-Matti Laurio <juha-matti.laurio () netti fi>]

Are the machines you have experience especially NT4.0 machines?
It appears that one of the PoC's (public on Monday 28th Aug) lists the following information:
"Systems Affected:
*  Microsoft Windows 2000 SP0-SP4
*  Microsoft Windows XP SP0-SP1
*  Microsoft Windows NT 4.0"

but reportedly it is tested against XPSP1 and W2KSP4 systems.

I believe that fully patched NT4SP6a/SRP shipped with Netapi32.dll is affected.

- Juha-Matti


"Geo." <geoincidents () nls net> wrote: 
> Has anyone seen a writeup on this new NT4 worm that's spreading via port 139
> MS06-040 yet? I'm seeing customers getting hit by it but I haven't seen any
> real mention of it anywhere yet. It appears to run two CMD.EXE hidden
> windows and sucks up all the cpu in the infected systems trying to spread.
> I've also seen one customer who found csrsc.exe on the machine after the
> worm hit them.
>
> I did manage to find out once it exploits a machine it uses ftp.exe to
> connect back to the infecting host and transfer something but I've not had
> time to really dig into this thing. Hoping someone else has already. Looks
> like it's spreading pretty quick
>
> http://isc.incidents.org/port_details.php?port=139&repax=1&tarax=2&srcax=2&p
> ercent=N&days=40
>
>
> Geo.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/